Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why did our search head crash? and how can we prevent it?

danielbb
Motivator
‎04-23-2020 06:37 AM

Our search head crashed, saying -

-- Apr 23 09:00:35 kernel: Out of memory: Kill process 2137 (splunkd) score 162 or sacrifice child

Two instances of the TA-check-point-app-for-splunk ran - one for 21 minutes consuming 21 GBs of memory and the other for 11 minutes, consuming 11 GBs.

How can we put safe-guards to prevent it?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2020 07:21 AM

The SH crashed because the OS killed it for using too much memory.

One solution is to add more memory to the SH, but that may be a short-term fix.

More important than knowing which apps were running at the time is knowing which searches were running at the time. Once you know that you can take steps to prevent future crashes, such as:

  • Make the searches more efficient
  • Schedule the searches so they don't run at the same time.
---
If this reply helps you, Karma would be appreciated.
Reply

danielbb
Motivator
‎05-25-2020 06:02 PM

We decided to use the enable_memory_tracker feature as in How can I generate a search which uses lots of memory?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...